
Cybersecurity Best Practices: Layered Security

Knowing which cybersecurity controls are necessary and appropriate for your organization can be tricky, or at least cumbersome. There is an overwhelming number of tools and services available, and endless pieces of advice to keep in mind as you build your security program.

In an effort to help make building, or refreshing, your security program a little easier, today we’re kicking off our “best practices” series. This series will take a deep dive through each of the cybersecurity checklist items outlined in a previous blog to give you a better understanding of why each of these components is essential to creating a secure environment.

We begin this series talking about the importance of layered security and how it benefits enterprises in the long run.

Why layered security?

Layered security, or defense-in-depth, is an approach to cybersecurity that does not rely on a “silver bullet” solution to counter cyberthreats. There are several reasons why a layered approach is an important and effective cybersecurity best practice; the three we’ll discuss today are:

Threats are too varied for any single control. It’s neither reasonable nor feasible to depend on one solution to counter every attack type. For example, a Web Application Firewall (WAF), which protects websites and applications by blocking suspicious requests, isn’t going to stop a spear phishing attack or an insider threat, because those attacks go after people, mailboxes and credentials rather than the web application.

If you rely on a so-called silver bullet solution, all you will be given is a false sense of security and an unprotected environment. However, a layered defense strategy allows you to implement a number of security measures to combat a multitude of threats from outside and within your organization, each with their own unique traits.

A single attack usually unfolds as a cyber kill chain: the lifecycle of a threat from initial compromise to the attacker’s end goal, and the steps in between. In most cases, each step is best detected or blocked by a specific type of security control, or by a combination of controls.

For example, let’s say there’s a particular attack including:

Reconnaissance: A target ‘victim’ email address is identified

Weaponization: A malicious attachment is created

Delivery: The attachment is sent to the victim via email

Exploitation: The malicious attachment is executed

Installation: The initial attachment downloads and runs a second stage of malware

Command & Control: The second stage malware establishes connections to C2 over HTTPS

Each of these kill chain steps is a point where the attack can be interrupted before the threat actor reaches the metaphorical pot of gold, so multiple layers of security give you multiple chances to stop it. Suppose your email filter fails to detect the attachment and the end user opens it: a network security policy enforced by an egress proxy can still prevent the second stage malware from being downloaded, and can block the callback to C2 even if it does get downloaded. Basically, if you have multiple layers and any one of them counters a step in the kill chain, that can be enough to mitigate the attack.
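The proxy layer described above, as an added example that is not part of the original post: a small egress policy run over a few constructed, Squid-style proxy log lines for the victim workstation. The log format, hostnames, allowlist and rules are all assumptions made for the illustration. The attachment has already been opened (the email layer failed), yet the executable download from an unvetted host and the TLS connection to a raw IP address are both refused, which is exactly the kill chain break the paragraph relies on.

```python
"""Egress-proxy policy check over constructed proxy log lines (added example).

Assumed log shape: 'ts client method target status mime'. Domains, the
allowlist and the policy are invented for the illustration.
"""
import ipaddress
import re
from collections import namedtuple

# Constructed log lines for one workstation after the attachment was opened.
SAMPLE_LOG = """\
1536345600 10.1.20.15 GET https://updates.vendor.example/patch-7.2.msi 200 application/x-msi
1536345601 10.1.20.15 GET http://cdn-files.example.net/inv/update.exe 200 application/x-msdownload
1536345602 10.1.20.15 CONNECT 203.0.113.45:443 200 -
1536345603 10.1.20.15 CONNECT mail.corp.example:443 200 -
1536345604 10.1.20.15 GET https://files.example.org/report.pdf 200 application/pdf
1536345605 10.1.20.15 GET https://news.example.com/story.html 200 text/html
"""

# Assumed corporate allowlist: destinations the proxy trusts for any content.
ALLOWED_DOMAINS = {"updates.vendor.example", "mail.corp.example", "files.example.org"}
# Content an egress proxy should not hand a workstation from an unvetted origin.
EXECUTABLE_MIME = {"application/x-msdownload", "application/x-msi",
                   "application/x-dosexec", "application/octet-stream"}
EXECUTABLE_EXT = (".exe", ".dll", ".msi", ".scr", ".ps1", ".hta", ".js")

Verdict = namedtuple("Verdict", "host action reason")


def host_of(target):
    """Hostname from a URL ('https://h/p') or a CONNECT target ('h:port')."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", target)
    return m.group(1) if m else target


def is_ip_literal(host):
    """True when the proxy target is a bare IP rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(line):
    """Apply the egress policy to one log line and return a Verdict."""
    _ts, _client, _method, target, _status, mime = line.split()
    host = host_of(target)
    if host in ALLOWED_DOMAINS:
        return Verdict(host, "allow", "allowlisted destination")
    if is_ip_literal(host):
        # Malware that hardcodes its C2 address often skips DNS entirely.
        return Verdict(host, "block", "CONNECT to raw IP address")
    if mime in EXECUTABLE_MIME or target.lower().endswith(EXECUTABLE_EXT):
        return Verdict(host, "block", "executable from non-allowlisted host")
    return Verdict(host, "allow", "non-executable content, default allow")


def run_policy(log_text):
    """Evaluate every non-empty line of a proxy log."""
    return [evaluate(l) for l in log_text.splitlines() if l.strip()]


def blocked_hosts(log_text):
    """Hosts the policy refused, with the reason, in log order."""
    return [(v.host, v.reason) for v in run_policy(log_text) if v.action == "block"]


if __name__ == "__main__":
    for v in run_policy(SAMPLE_LOG):
        print(f"{v.action:5} {v.host:28} {v.reason}")
```

The second and third lines are the installation and C2 steps of the chain; the policy stops both without knowing anything about the attachment itself, which is the point of putting an independent control at that step.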

If one layer fails, the next one may still fend off the attack. One good real-life scenario where a multi-layered approach might have thwarted an attack is WannaCry. People lament the lack of proper patching in the affected organizations and how it might have prevented that ransomware crypto-worm from spreading.

While that’s true, the spread also could have been contained had the affected organizations adopted a multi-layered approach by 1) minimizing external exposure of services through firewalls/NAT (WannaCry propagated over SMB, TCP port 445, which should never be reachable from the internet) and 2) applying proper internal network segmentation so that SMB is only allowed where it is actually needed. That way, even if systems remained unpatched, the worm wouldn’t have been able to reach other networks or move laterally beyond the segment it landed in.
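To make the segmentation argument concrete, here is an added example (not from the original post) that models worm reach as a reachability problem: a worm on an unpatched host infects every other unpatched host to which the network policy permits a TCP 445 connection, and a breadth-first search returns everything it can touch from the first victim. The inventory, zones and policy rules are constructed for the illustration; the port is the SMB port WannaCry used. The same inventory is run under a flat network (no filtering anywhere) and under a segmented policy, so the difference is the policy alone.

```python
"""Worm reach on a flat network versus a segmented one (added example).

Hosts, zones and the allow rules below are invented for illustration.
TCP 445 is SMB, the port WannaCry spread over.
"""
from collections import deque

# Constructed inventory: host -> (zone, patched?)
HOSTS = {
    "ws-01":   ("workstations", False),
    "ws-02":   ("workstations", False),
    "ws-03":   ("workstations", True),
    "file-01": ("servers", False),
    "file-02": ("servers", False),
    "hmi-01":  ("ot", False),
    "vpn-01":  ("dmz", False),
}

# A policy is a set of (src_zone, dst_zone, port) allow rules; anything not
# listed is denied. None models a flat network with no filtering at all.
FLAT_POLICY = None
SEGMENTED_POLICY = {
    ("workstations", "servers", 445),        # users need the file servers
    ("servers", "servers", 445),             # servers replicate among themselves
    ("workstations", "workstations", 3389),  # helpdesk RDP, but no peer SMB
    ("dmz", "servers", 443),                 # VPN concentrator reaches web apps only
}


def permitted(policy, src, dst, port, hosts=HOSTS):
    """Would the policy let src open a connection to dst on port?"""
    if policy is None:
        return True
    return (hosts[src][0], hosts[dst][0], port) in policy


def worm_reach(policy, patient_zero, port=445, hosts=HOSTS):
    """Set of hosts a self-propagating worm infects starting at patient_zero.

    Patched hosts are immune; every infected host scans every other host and
    succeeds wherever the policy allows the port through.
    """
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst, (_zone, patched) in hosts.items():
            if dst in infected or patched:
                continue
            if permitted(policy, src, dst, port, hosts):
                infected.add(dst)
                queue.append(dst)
    return infected


def exposed_to_internet(policy, port=445, hosts=HOSTS):
    """Hosts an external scanner could reach on port (the edge firewall/NAT check)."""
    return {h for h, (zone, _patched) in hosts.items()
            if policy is None or ("internet", zone, port) in policy}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name:9} reach from ws-01: {sorted(worm_reach(policy, 'ws-01'))}")
        print(f"{name:9} exposed on 445:   {sorted(exposed_to_internet(policy))}")
```

On the flat network every unpatched host, including the OT system and the VPN concentrator, is infected from a single workstation; under the segmented policy the outbreak stops at the two file servers the workstation zone legitimately talks to, and nothing answers on 445 from outside. Neither result depends on whether the patch was applied, which is what makes segmentation a separate layer rather than a substitute for patching.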

Underneath the layers

From a macro perspective, the layers of security are policy, technology, and training.

You need clear and strong policies to dictate what security controls should be in place. For example, you could have a policy that says, “Do not open email attachments or click links from senders you don’t know, and report unexpected ones to security.”

That policy is then supported by a technology layer, which consists of technical elements or sub-layers: firewall ingress and egress filtering rules, a NAT or reverse proxy in front of internal services, exposing only the specific ports a service actually needs, and so on.

The last layer ensures that end users, who are almost always the weakest link in a security program, are properly educated about the consequences of failing to adhere to security policies as well as how to uphold them. It doesn’t matter how well-thought-out your policies are or how state-of-the-art your technologies are; if your end users are not educated, your security controls are at risk of being circumvented.

Ultimate benefits of a layered security approach

The reasons for layered security discussed in the first section are essentially also its benefits, but there are a few bonuses worth mentioning.

Layered security gives you more flexibility in maintaining an acceptable level of security. To elaborate: if patching is your only defense against a recently disclosed exploit, and the patch can’t be applied to certain systems (this happens with legacy or vendor-locked equipment), you are left with no fallback.

But if you can patch the majority of your systems, isolate the ones you can’t, and apply specialized monitoring to those unpatched systems, you should still be able to detect and contain an attack that takes advantage of the known exploit. That is another benefit of layered security.

In today’s threat landscape, where cyberattacks are usually multi-pronged, multi-staged, and multi-faceted, a layered approach is, realistically speaking, the only way you can truly defend your digital assets.

Troy Dearing | Head of the Threat Resistance Unit

Troy Dearing is the Head of the Threat Resistance Unit and oversees all cyber threat intelligence and threat hunting initiatives. He initially joined Armor’s TRU as a Senior Ethical Hacker, leveraging 22 years of expertise in IT and cyber security. Before joining Armor, Troy was a Computer Network Operator for the NSA, where he was tasked with performing Computer Network Exploitation operations. He retired from the Marine Corps after 20 years of service with distinction, serving as a network intelligence subject matter expert and instrumental in the creation of a service-level course on network exploitation and analysis. Early in his career he was selected for an internship at the NSA’s Red Team, which established his foundation in cyber security expertise. He graduated magna cum laude from the University of Maryland University College with a Bachelor of Science in Cybersecurity. Troy is a Certified Information Systems Security Professional (CISSP).
